Hackers have stolen vast amounts of user data from the quiz app including email addresses, phone numbers and full names.

Shares

Hackers have obtained over two million email addresses, full names and almost 300,000 cellphone numbers from a popular social networking app with a large number of female users many of which are under the age of 18.

The app called Wishbone allows users to create and vote on simple two-choice quizzes. Its user information was leaked after unknown hackers found an unprotected database and stole all of the information contained within it.

The breach was exposed when security researcher Troy Hunt, who runs the website “Have I Been Pwned,” received a copy of a MongoDB database belonging to the app. The database contained 2,236,452 full names, 2,247,314 unique email addresses, 287,502 cellphone numbers and other personal information from Wishbone including personal data such as gender and birth dates.

On Wednesday, Science Inc. who owns the app, confirmed the breach noting that hackers “may have had access to an API without authorization.” Greg Gilman, the co-founder and general counsel of the company, was able to confirm that hackers would be unable to access Wishbone's user data again, saying: “The vulnerability has been rectified.”

As of this time, Wishbone is investigating the cause of the breach and has notified users in a statement, saying:

“On March 14, 2017 Wishbone became aware that unknown individuals may have had access to an API without authorization and were able to obtain account information of its users. The information involved in the incident included Wishbone users’ user names, any personal names provided by users during account registration, email addresses, and telephone numbers. If you elected to provide date of birth information, such information was also included in the incident. However, no passwords, user communications or financial account information were compromised in the incident."

"Upon learning of the incident, Wishbone immediately acted to investigate and initiate precautionary measures. Although no passwords were compromised in the incident, you may wish to consider changing your password as a preventative measure.”